NEWS
Federal Communications Commission
445 12th Street, S.W.
Washington, D.C.  20554
This is an unofficial announcement of Commission action.  Release of the full text of a Commission order constitutes official action.
See MCI v. FCC. 515 F 2d 385 (D.C. Circ 1974).
News Media Information 202 / 418-0500
Internet: http://www.fcc.gov
FOR IMMEDIATE RELEASE: NEWS MEDIA CONTACT:
April 8, 2015 Neil Grace, 202-418-0506
E-mail: neil.grace@fcc.gov 
AT&T TO PAY $25 MILLION TO SETTLE CONSUMER PRIVACY INVESTIGATION
FCC’s Largest Data Security Enforcement Action 
Washington, D.C. – The Federal Communications Commission has entered a $25 million settlement with 
AT&T Services, Inc. to resolve an investigation into consumer privacy violations at AT&T’s call centers 
in Mexico, Colombia, and the Philippines.  The data breaches involved the unauthorized disclosure of 
almost 280,000 U.S. customers’ names, full or partial Social Security numbers, and unauthorized access 
to protected account-related data, known as customer proprietary network information (CPNI). This is the 
FCC’s largest privacy and data security enforcement action to date.
According to an investigation by the FCC’s Enforcement Bureau, these data breaches occurred when 
employees at call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer 
records without authorization. These employees accessed CPNI while obtaining other personal 
information that was used to request handset unlock codes for AT&T mobile phones, and then provided 
that information to unauthorized third parties who appear to have been trafficking in stolen cell phones or 
secondary market phones that they wanted to unlock.  
“As the nation's expert agency on communications networks, the Commission cannot — and will not —
stand idly by when a carrier’s lax data security practices expose the personal information of hundreds of 
thousands of the most vulnerable Americans to identity theft and fraud,” said FCC Chairman Tom 
Wheeler. “As today’s action demonstrates, the Commission will exercise its full authority against 
companies that fail to safeguard the personal information of their customers.”
“Consumers trust that their phone company will zealously guard access to sensitive personal information 
in customer records,” said Travis LeBlanc, Chief of the Enforcement Bureau.  “Today’s agreement shows 
the Commission’s unwavering commitment to protect consumers’ privacy by ensuring that phone 
companies properly secure customer data, promptly notify customers when their personal data has been 
breached, and put in place robust internal processes to prevent against future breaches.  We hope that all 
companies will look to this agreement as guidance.”
In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took 
place at an AT&T call center in Mexico between November 2013 and April 2014.  During this period, 
three call center employees were paid by third parties to obtain customer information — specifically, 
names and at least the last four digits of customers’ Social Security numbers — that could then be used to 
submit online requests for cellular handset unlock codes.  The three call center employees accessed more 
than 68,000 accounts without customer authorization, which they then provided to third parties who used 
that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock 
request portal. 
The Enforcement Bureau also learned during the course of its investigation that AT&T had additional 
data breaches at other call centers in Colombia and the Philippines.  AT&T informed the Bureau that 
approximately 40 employees at the Colombian and Philippine facilities had also accessed customer 
names, telephone numbers, and at least the last four digits of customer Social Security numbers to obtain 
unlock codes for AT&T mobile phones.  Approximately 211,000 customer accounts were accessed in 
connection with the data breaches in the Colombian and Philippine facilities.  
As a condition of settlement, AT&T will pay a $25 million civil penalty.  The company will also notify 
all customers whose accounts were improperly accessed.  AT&T will pay for credit monitoring services 
for all consumers affected by the breaches in Colombia and the Philippines.
Additionally, AT&T will be required to improve its privacy and data security practices by appointing a 
senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, 
implementing an information security program, preparing an appropriate compliance manual, and 
regularly training employees on the company’s privacy policies and the applicable privacy legal 
authorities.  AT&T will file regular compliance reports with the FCC.  
The failure to reasonably secure customers’ personal information violates a carrier’s duty under Section 
222 of the Communications Act, and also constitutes an unjust and unreasonable practice in violation of 
Section 201 of the Act.  The Commission has made clear that it expects telecommunications carriers to 
take “every reasonable precaution” to protect their customers’ data. The Commission has also adopted 
rules that require carriers to take reasonable measures to discover, report, and protect against attempts to 
access CPNI without authorization. 
With this action, the Commission has taken five major enforcement actions valued at over $50 million in
the last year to protect consumer privacy and data security.  In May 2014, the Commission announced a 
$2.9 million planned fine against Dialing Services, LLC, for violating Commission rules that seek to 
protect consumers from harassing, intrusive, and unwanted robocalls to mobile devices.  Also in May 
2014, Sprint Corporation entered into a $7.5 million settlement to resolve an investigation into Sprint’s 
failure to honor consumers’ do-not call or do-not-text requests.  In September 2014, the Commission 
reached a $7.4 million settlement with Verizon to address the company’s unlawful marketing to two 
million customers without their consent or notification of their privacy rights.  In October 2014, the 
Commission announced a $10 million planned fine against TerraCom, Inc., and YourTel America, Inc., 
for failing to provide reasonable protection for customers’ personal information.  
For more information about the FCC’s rules protecting the privacy of consumer’s personal information, 
see: http://www.fcc.gov/encyclopedia/consumer-publications-library#Privacy
The AT&T Order and Consent Decree are available at: 
https://apps.fcc.gov/edocs_public/attachmatch/DA-15-399A1.pdf  
The Dialing Services NAL is available at: https://apps.fcc.gov/edocs_public/attachmatch/FCC-14-
59A1.pdf
The Sprint Consent Decree is available at: https://apps.fcc.gov/edocs_public/attachmatch/DA-14-
527A1.pdf
The Verizon Consent Decree is available at: https://apps.fcc.gov/edocs_public/attachmatch/DA-14-
1251A1.pdf
The Terracom/YourTel NAL is available at: https://apps.fcc.gov/edocs_public/attachmatch/DA-13-
285A1.pdf
-FCC-